Ignore multiple CVEs due to missing deps in python:3.11-alpine

This commit is contained in:
Théophile Diot 2023-02-16 14:16:32 +01:00
parent 846e26e410
commit 0f35c05eee
No known key found for this signature in database
GPG Key ID: E752C80DB72BB014
6 changed files with 16 additions and 12 deletions


@ -47,7 +47,7 @@ jobs:
exit-code: 1
ignore-unfixed: false
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
#trivyignores: .trivyignore
trivyignores: .trivyignore
# BW scheduler tests
scheduler:
@ -91,7 +91,7 @@ jobs:
exit-code: 1
ignore-unfixed: false
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
#trivyignores: .trivyignore
trivyignores: .trivyignore
# BW autoconf tests
autoconf:
@ -135,7 +135,7 @@ jobs:
exit-code: 1
ignore-unfixed: false
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
#trivyignores: .trivyignore
trivyignores: .trivyignore
# BW UI tests
ui:
@ -180,7 +180,7 @@ jobs:
exit-code: 1
ignore-unfixed: false
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
#trivyignores: .trivyignore
trivyignores: .trivyignore
# Python code security
code-security:
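Review bot: Every one of the four Trivy jobs touched here now reads the same `.trivyignore`, while the rationale written in that file is specific to python:3.11-alpine, so the curl CVE IDs are also silenced for any job scanning an image built on another base — the nginx-based Dockerfile in this commit still carries its own curl/libcurl floor. Consider pointing only the jobs that scan python:3.11-alpine-based images at the ignore file, or give its entries expiry dates so the suppression lapses on its own. With `exit-code: 1` and `ignore-unfixed: false` unchanged, this file is now the only thing between those CVEs and a failing scan, which is worth recording inline, e.g. `trivyignores: .trivyignore # curl CVE-2023-23914/5/6, rationale in the file`.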

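--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,4 @@
+# libcurl 7.87.0-r2 and curl 7.87.0-r2 are not yet available in python:3.11-alpine
+CVE-2023-23916
+CVE-2023-23914
+CVE-2023-23915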
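Review bot: The three entries have no expiry, so they will keep suppressing these findings after curl/libcurl 7.87.0-r2 reach python:3.11-alpine and nothing will prompt their removal. Trivy's ignore file accepts a per-entry expiration, e.g. `CVE-2023-23916 exp:2023-03-31` (date is an example — use the planned re-check date), after which the finding fails the scan again. Since the same file is wired into every Trivy job of the workflow, the comment should also say which images the rationale applies to.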


@ -54,7 +54,7 @@ RUN apk add --no-cache bash && \
chmod 770 /var/log/letsencrypt /var/lib/letsencrypt
# Fix CVEs
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
VOLUME /data /etc/nginx
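Review bot: Assuming the line without the curl/libcurl floors is the new side, as the commit title suggests, this image now ships whatever libcurl the base provides while `.trivyignore` hides CVE-2023-23914/5/6, and nothing in the Dockerfile ties the two together. Record the link on the comment so the floor is restored when the ignore is dropped, e.g. `# Fix CVEs (curl/libcurl 7.87.0-r2 not yet in python:3.11-alpine; CVE IDs listed in .trivyignore — re-add the floor and remove the ignore once available)`; the two other Dockerfile hunks further down with the identical line need the same comment. Separately, this `RUN apk add` has no `--no-cache` while the preceding `RUN apk add --no-cache bash` shown in the hunk header does, so the fetched APK index can be left behind in the layer (hadolint DL3019).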


@ -4,22 +4,22 @@ FROM nginx:1.22.1-alpine AS builder
COPY src/deps /tmp/bunkerweb/deps
# Compile and install dependencies
RUN apk add --no-cache --virtual build bash build autoconf libtool automake geoip-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev && \
RUN apk add --no-cache --virtual .build-deps bash autoconf libtool automake geoip-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev && \
mkdir -p /usr/share/bunkerweb/deps && \
chmod +x /tmp/bunkerweb/deps/install.sh && \
bash /tmp/bunkerweb/deps/install.sh && \
apk del build
apk del .build-deps
# Copy python requirements
COPY src/common/gen/requirements.txt /usr/share/bunkerweb/deps/requirements.txt
# Install python requirements
RUN apk add --no-cache --virtual build py3-pip && \
RUN apk add --no-cache --virtual .build-deps py3-pip && \
pip install --no-cache-dir --upgrade pip && \
pip install wheel && \
mkdir -p /usr/share/bunkerweb/deps/python && \
pip install --no-cache-dir --require-hashes --target /usr/share/bunkerweb/deps/python -r /usr/share/bunkerweb/deps/requirements.txt && \
apk del build
apk del .build-deps
FROM nginx:1.22.1-alpine
@ -75,7 +75,7 @@ RUN apk add --no-cache pcre bash python3 && \
chmod 660 /usr/share/bunkerweb/INTEGRATION
# Fix CVEs
RUN apk add "openssl>=1.1.1q-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
RUN apk add "openssl>=1.1.1q-r0" "curl>=7.83.1-r6" "libcurl>=7.83.1-r6" "git>=2.36.5-r0"
VOLUME /data /etc/nginx
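Review bot: The `# Fix CVEs` comment above the curl/libcurl line does not say which fix the floor tracks: if `7.83.1-r6` is the new side, a reader cannot tell whether that is the nginx:1.22.1-alpine repository's backport of the curl fixes or simply the newest version available, so note it, e.g. `# Fix CVEs: curl/libcurl floor follows the nginx:1.22.1-alpine repo backport for CVE-2023-23914/5/6` — confirm the backport before writing that. `>=` constraints are floors resolved against the repository index at build time, not pins, so a rebuild can silently pick up a newer, untested package. In the builder hunk above, naming the virtual group `.build-deps` looks like a clean fix for the duplicated `build` name, though `pip install wheel` on that same RUN still lacks `--no-cache-dir` and a version pin.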


@ -64,7 +64,7 @@ RUN apk add --no-cache bash libgcc libstdc++ openssl && \
chmod 660 /usr/share/bunkerweb/INTEGRATION
# Fix CVEs
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
VOLUME /data /etc/nginx


@ -50,7 +50,7 @@ RUN apk add --no-cache bash && \
chmod 660 /usr/share/bunkerweb/INTEGRATION
# Fix CVEs
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "curl>=7.87.0-r2" "libcurl>=7.87.0-r2" "git>=2.36.5-r0"
RUN apk add "libssl1.1>=1.1.1q-r0" "libcrypto1.1>=1.1.1q-r0" "libxml2>=2.9.14-r1" "expat>=2.5.0-r0" "git>=2.36.5-r0"
VOLUME /data /etc/nginx